SafeBreach catches vulnerability in controversial HP Touchpoint Analytics software

After being notified on July 4, HP waited three months before issuing a security bulletin.


Since HP Touchpoint Analytics came to users' attention in 2017, it has been a focus of controversy. In 2017, HP said the function "anonymously collects diagnostic information about hardware performance. No data is shared with HP unless access is expressly granted. Customers may opt out of participating or uninstall the service at any time."

But users have continued to fill forums with complaints about it, ranging from security concerns to claims that it slows down their computers.

Now the feature is involved in another, smaller controversy after SafeBreach security researchers said they discovered a new vulnerability in it. HP Touchpoint Analytics comes preinstalled on many HP devices running Windows, and every version below 4.1.4.2827 is affected by what SafeBreach found.

In a blog post, SafeBreach Labs security researcher Peleg Hadar said that because the service runs as "NT AUTHORITY\SYSTEM", it is granted extremely powerful permissions that give it wide access to the machine.

"The vulnerability, CVE-2019-6333, gives attackers the ability to load and execute malicious payloads using a signed service. This ability can be abused by an attacker for different purposes, such as execution and evasion, for example: application whitelisting bypass and signature validation bypass," Hadar wrote.

"The components that allow HP Touchpoint Analytics to access sensitive low-level hardware (such as physical memory, MSRs and SMBIOS) are provided by an open source hardware monitoring library called 'Open Hardware Monitor'."


The SafeBreach report explained that the security flaw was found in the open source Open Hardware Monitor component bundled with HP Touchpoint Analytics, and demonstrated how an attacker could use it to gain privilege escalation and persistence by getting an arbitrary unsigned DLL loaded into a service running as SYSTEM.

Lindsey O'Donnell of Threatpost explained that "the affected software, Open Hardware Monitor, monitors a computer's temperature sensors, fan speeds, voltages, load and clock speeds. It is used on tens of millions of computers and is a key third-party component of HP Touchpoint Analytics."
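The bug class described above (a SYSTEM service loading an unsigned DLL from a location a low-privileged user can influence) is something an administrator can triage on a fleet without any exploit code. The following PowerShell script is an added example, not code from the article, from SafeBreach or from HP. It reads the installed HP Touchpoint Analytics version from the Uninstall registry keys and compares it against 4.1.4.2827, the first non-affected build named in the article; confirms which account the service runs under; and lists directories on the machine-wide PATH that Everyone, Authenticated Users or BUILTIN\Users can write to, which is the generic precondition for planting a DLL that a privileged service might load. The display-name filter 'HP Touchpoint Analytics*' is an assumption, and the article does not say which directory the vulnerable component searched, so the PATH check is a general hygiene check rather than a test for this specific CVE.

```powershell
# Added triage example for CVE-2019-6333 (not the article's, SafeBreach's or HP's code).
# Run in an elevated PowerShell session on the host being checked.

# First fixed build according to the article; everything below it is affected.
$FixedVersion = [version]'4.1.4.2827'

# Assumption: the installed product's DisplayName starts with this string.
$ProductFilter = 'HP Touchpoint Analytics*'

function Get-TouchpointAnalyticsVersion {
    # Check both native and WOW6432Node uninstall hives on 64-bit Windows.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $ProductFilter -and $_.DisplayVersion } |
        ForEach-Object {
            $installed = [version]$_.DisplayVersion
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Version     = $installed
                Vulnerable  = ($installed -lt $FixedVersion)
            }
        }
}

function Get-TouchpointAnalyticsService {
    # StartName 'LocalSystem' confirms the NT AUTHORITY\SYSTEM context the article describes.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -like $ProductFilter } |
        Select-Object Name, DisplayName, StartName, State, PathName
}

function Get-WritablePathDirectories {
    # A service started by the SCM inherits the machine PATH, not the logged-on user's.
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')

    # Well-known SIDs that any local user is a member of.
    $lowPrivSids = @(
        'S-1-1-0',      # Everyone
        'S-1-5-11',     # Authenticated Users
        'S-1-5-32-545'  # BUILTIN\Users
    )
    $writeMask = [Security.AccessControl.FileSystemRights]::WriteData -bor
                 [Security.AccessControl.FileSystemRights]::AppendData

    foreach ($dir in ($machinePath -split ';' | Where-Object { $_ })) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is itself a finding: whoever can create
            # the directory controls what gets loaded from it.
            [pscustomobject]@{ Directory = $dir; Issue = 'missing directory on PATH' }
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable or orphaned principal; skip it

            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPrivSids -contains $sid -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Directory = $dir
                    Issue     = "writable by $($ace.IdentityReference)"
                }
                break
            }
        }
    }
}

Write-Host '== Installed HP Touchpoint Analytics version =='
Get-TouchpointAnalyticsVersion | Format-Table -AutoSize

Write-Host '== Service account =='
Get-TouchpointAnalyticsService | Format-Table -AutoSize

Write-Host '== Machine PATH directories writable by low-privileged users =='
Get-WritablePathDirectories | Format-Table -AutoSize
```

Any directory reported by the last function should be fixed regardless of the HP patch state, since the same precondition feeds every DLL search-order hijack against a privileged service, not just this one. The ACL check only recognises explicit WriteData/AppendData bits; an ACE carrying generic rights (GENERIC_WRITE, GENERIC_ALL) is not decoded here and would need a separate check.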

At the end of the post, Hadar notes that SafeBreach notified HP of the vulnerability on July 4, 2019, and then went through a lengthy back-and-forth with the company. HP published a security bulletin on the issue on October 4, earlier this month.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action," HP said in the notice.

"HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from the user's use of or reliance on the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

The company has long had to defend HP Touchpoint Analytics against critics who say it gives HP unnecessary access to user systems. When it was first noticed in 2017, dozens of users complained that they had not consented to the software being installed.

"I found HP Touchpoint Manager unexpectedly installed on my PC earlier this week (11/16), obviously without my consent. I understand that all kinds of telemetry data get collected, and I am not willing to share too much of it, really, and definitely not without my knowledge," one user wrote in November 2017.

At the time, HP was forced to publish a statement saying that the service had been offered since 2014 as part of HP Support Assistant. The company reiterated that HP did not collect any data without access being "expressly granted", something that users still dispute.

"HP Touchpoint Analytics was recently updated and there were no changes to the privacy settings as part of this update. We take customer privacy very seriously and act in accordance with a strict policy, available here," the company's 2017 statement said.


